Cyber Insurance
Cyber insurance in India is at a nascent stage and effort is required to create awareness about its critical role in countering cyberattacks:
A report prepared by US-based Allied Market Research put the cyber security market size at $104.60 billion in 2017 and projected it to grow to $258.99 billion by 2025, a CAGR of 11.9% from 2018 to 2025. As cyber threats become universal, finding security solutions has become critical too. Alongside, corporates have become aware of the relevance of cyber insurance as the threats change faster and solutions sometimes become inadequate. Today, protecting the computing environment is almost obsolete and security experts are looking at having strong cyber security governance in place, marked by coordinated efforts to make the entire information ecosystem penetration-proof, and having strong cyber insurance cover. In fact, cyber insurance sits atop all other security measures, which are prone to fail at some time or other, and there are expenses towards retrieving the system and meeting damages on account of litigation initiated by affected customers. Cyber insurance, especially for banks and financial services institutions, is expected to cover the main concerns and protect against business loss in case of a cyber attack. Ideally it covers first-party and third-party liability.
Anurag Rastogi, member of executive management, HDFC ERGO General Insurance, points out that the penetration of internet is growing at a rapid rate in India with smart devices being an integral part of our lives. “Owing to this and the increase in cybercrimes and frauds, there is a demand for cyber insurance among corporates as well as individuals in India and cyber insurance, therefore, is constantly evolving to cover the growing cyber risks across the globe,” says he.
However, he admits while there is a rise in demand for cyber insurance, the adoption is still limited.
TOP BUSINESS RISK
We cannot overlook the inherent need for cyber insurance given the serious threat cybercrimes pose to Indian corporations as well as individuals. Sasikumar Adidamu, CTO, Bajaj Allianz General Insurance, cites the results of Allianz Risk Barometer 2019 survey and says cyber incidents have been considered as the top business risk in India for 2019 with companies increasingly concerned in the wake of mega data breaches, privacy scandals and major IT outages.
“A couple of years ago cyber attacks were elementary, but with the increased interconnectivity and frequency of online transactions and eCommerce, there has been a substantial rise in the severity and frequency of cyberattacks. At Bajaj Allianz General Insurance, we would earlier receive requests for cyber insurance from large corporates and MNCs, especially companies involved in IT related services, but recently we are witnessing an increase in inquiries from SMEs, startups and smaller businesses across sectors. Cyber insurance for individuals is, however, at a nascent stage in our country due to very little awareness about this cover. We only see the demand for this cover increasing as our cyber/virtual lives become as elaborate, complex and important as our real lives,” he adds.
According to Jayant Saran, partner, Deloitte India, while the adoption of and demand for cyber insurance has increased tremendously over the past 18 months, it has not kept pace with organizations and their exposure to incidents involving breach or vulnerabilities in cybersecurity. This exposure has been much higher, says he. He also mentions that organizations primarily from the BFSI sector have been the early adopters of cyber insurance, to secure themselves.
DATA BREACH
Saran says the primary type of threat covered in cyber insurance is data breach. Data breach can occur due to a number of risks such as insider threats and poor security controls. Another frequent type of attack is business email compromise, triggered by phishing email or malware. Ransomware, although highly prevalent nowadays, finds it tough to receive coverage. This is because data, once compromised and held to ransom, is too complex to investigate due to the limited footprint left by the perpetrator and/or limited or no logging information being retained by the organization.
Cyber insurance has made a beginning in India, but it is yet to mature, feels Na Vijayashankar, privacy and data protection consultant and chairman, Foundation of Data Protection Professionals in India. He quotes a Data Security Council of India (DSCI) study to say around 350 corporate policies have been underwritten in 2018 in the corporate sector and retail policies have been introduced by 2 companies but these are yet to make an impact though there are some 15,000 retail policies in circulation in the country.
Vijayashankar also says banking is one sector which has adopted cyber insurance because RBI has more or less mandated it. The IT industry involved in data processing is now slowly showing interest in a limited way, he adds.
TYPES OF RISKS COVERED
The types of threats and risk that are covered in the cyber insurance policies available in India include identity theft, unauthorized transactions, reputational injury, cyber bullying, cyber extortion, malware intrusion, legal expenses, data restoration costs, forensic costs, consequential loss and psychological counselling.
Arjun Bhaskaran, director, Cyber security, GENLIFE-RE Insurtech, is of the view that while cyber insurance has a very high potential, it is in a nascent stage, mainly because retail cyber insurance is a low ticket size transaction, and therefore, agents will not be spending time and effort to promote and sell it. In corporate cyber insurance, most of the insurance brokers and their employees are not conversant with the products, features and nuances of cyber insurance, says he.
TPA SYSTEM NEEDED
He strongly advocates a system of TPAs in cyber insurance, which he feels will bring in better trust and confidence in the minds of retail, SME customers about independent and fair claim settlement. Also, it will bring in (a) processing capacity, (b) specialized knowledge to handle cyber investigations, forensics in handling volumes of claims and (c) fraud prevention and control.
He says cyber insurance is relevant for 3 layers of the Indian market – enterprise, SME and retail. “The Indian SME and retail markets can be among the largest markets in the world for cyber insurance, because India is among the top 3 countries that are vulnerable to cyberattacks and breaches and India is among the largest and fastest growing adopters of internet usage, smartphones, IoT, etc. The quantum and value of personal, financial and health information makes India one of the most vulnerable to exploitation by cybercriminals,” he points out.
EARLY ADOPTERS
Arjun Bhaskaran also says while BFSI, IT/ITES and telecom are early adopters by virtue of having mission-critical IT applications and high levels of IT maturity, industries like healthcare, education, retail, and hospitality are equally important even though they are low on IT maturity. “In fact, because of their lower IT maturity and lower internal IT and Cybersecurity capabilities, they are more eager to adopt cyber Insurance,” says he.
Sasikumar Adidamu of Bajaj Allianz General Insurance says the earliest adopters of cyber insurance are the BFSI and IT/ITES sectors, the former due to large exposure and the latter often due to contractual requirements. “This changed with time and these two sectors have adopted cyber insurance rapidly. With time, the manufacturing and hospitality sectors too are catching up. We are seeing a spike in the number of enquiries after any major incident and while number of conversions are going up, the gestation period still remains a few months and the conversion rate is still low,” says he.
COVER AGAINST CRIMES
According to Anurag Rastogi of HDFC ERGO General Insurance, cyber insurance has become crucial for all companies, irrespective of their size. “Sectors and industries that have exhaustive data repositories like BFSI, eWallet service providers, eCommerce portals, telecom, technology companies and pharma/healthcare are the major adopters of corporate cyber insurance. We have also seen inquiries from manufacturing, infrastructure and other sectors. Having said that, BFSI remains the major buyer of cyber insurance,” says he.
He says the usual covers under corporate cyber insurance include losses arising from eTheft, eCommunication, eThreats, business interruption and others. The policies also cover third-party suits against the insured for disclosure, reputational conduct and content related liability claims. Forensic experts’ cost, notification costs in case of data breach, the cost for regulatory response and rewards expenses also get covered under the policy.
HDFC ERGO offers cyber insurance cover for both individuals and corporates. Its flagship E@Secure insurance policy covers an individual from major cyber risks such as unauthorized online transactions made on an individual’s bank account/debit or credit card by a third party for purchases over the internet. In addition, it covers the damage caused to an individual’s reputation in case a third party publishes any harmful information on the internet. Further, the policy provides necessary legal protection against the costs of pursuing and defending legal actions and provides a special feature of extending the cyber cover to the individual’s family, covering their spouse and two dependent children with no age limit.
The company has been offering corporate cyber insurance cover since 2012 covering threats of cyber exposures associated with eBusiness, internet, networks and information assets. The policy essentially covers financial losses due to data theft, fraudulent communication, eVandalism and unauthorized transfer of funds/property. In addition, it covers the cost of hiring a professional negotiator and public relations consultant, if required. However, it does not cover losses in case the company is found guilty of violating the laws or in the case of mechanical failure. It introduced E@Secure for individuals in 2018, which covers loss or damage arising directly due to one’s activities over the internet.
Bajaj Allianz General Insurance offers insurance cover to safeguard against cybercrimes like cyber extortion and cyber attacks that can possibly affect an organization or individual. Its Cyber Protect, a digital business and data protection insurance for companies, typically covers privacy and data breach, business interruption, hacker theft, cyber extortion, crisis communication and consultant services. “Any company or corporate irrespective of its industry can opt for this policy. Coverage inclusions under cyber insurance for corporates may vary with each industry,” says Sasikumar Adidamu.
Again, the company’s ‘Bajaj Allianz Individual Cyber Safe Policy’ covers financial loss resulting from being an innocent victim of email spoofing and phishing, losses and expenses related to defense and prosecution cost related to identity theft, IT theft loss, and restoration cost to retrieve or reinstall data or computer programs damaged by entry of malware. It also provides coverage for expenses incurred on counselling services treatment, claim for damages against third party for privacy breach and data breach, cyber extortion loss and transportation for attending court summons.
BUYING A COVER
What are the key factors to be considered while buying cyber insurance (a) by an individual and (b) by a corporate?
According to Anurag Rastogi, the primary consideration while buying a cyber insurance policy should be taking stock of all the threats one may be exposed to online, so as to buy a relevant policy and suitable add-on covers. Besides these, both individuals and corporates need to be cognizant of the inclusions and exclusions under their policy. It is important to check the sub-limits for the risks covered, he says, adding one should also check the validity of the policy in order to do a timely renewal without break.
Individuals, according to him, must consider their exposure and their dependency on the internet. They must also consider their family’s exposure, i.e. the spouse and dependent children who access the internet. “In order to ascertain the sum insured, it is best to consider an individual’s average spends online or the credit card/eWallet limit. The insurer will look at the individual’s past experience and loss history online if any. This is because any loss arising out of past acts will not be covered under insurance,” says he.
Corporates, he adds, need to be mindful of the gravity of data that gets stored in the system, the geographical spread of the business (whether exposed to GDPR countries), and compliance requirements such as PCI and HIPAA. Online presence of the company and outsourced activity also play an important role here, he adds.
Sasikumar Adidamu says at the corporate level, companies need to evaluate the potential risks as well as the coverages offered. “For instance, a company, which holds a lot of customers’ information (say a food delivery app, financial institution or a social media site), would want to make sure that privacy and data breach liability are covered. In order to retain coverage under policy terms, companies need to pay due diligence to avoid the cyber risks in the first place. A robust data and cyber security infrastructure ensures that there is no callousness in dealing with cyber threats. Companies need to also have a strong recovery plan and backups in place. They need to constantly change and evaluate the infrastructure and prepare a framework to tackle these hostile forces online. Updating and upgrading continuously and an appropriate cover is the only way to guard against these emerging new types of cyber risks,” says he.
Individuals, he adds, need to match the policy coverage with their needs and select the sum insured according to their exposure. They must check the coverage and exclusion section of the policy to ensure that their needs are being met by the policy.
PREMIUMS, CALCULATION
Premiums and their calculation are crucial in insurance business. Jayant Saran of Deloitte India says cyber insurance premiums are calculated on the basis of accurate analyses of risks in most cases. Third-party service providers also assist in assessing the most vulnerable spots within an organization’s cyber infrastructure. “This practice is quite evolved for organizations that are more aware. For smaller firms with little knowledge or exposure to such cases, the practice may take some more time to reach total acceptance,” says he.
According to Na Vijayashankar, the insurance industry at present is not customizing the premium on the basis of client specific risk assessment. “It is mostly dictated by the re-insurance costs,” says he.
Arjun Bhaskaran says the pricing of cyber insurance is now led by MNC insurance companies, which are setting the price benchmarks based on the research and experience of the parent organizations. Indian insurance companies will begin to offer products and prices that clone the early movers. Gradually, the pricing will improve based on actual claims experience and finer assessment of risks, he says.
BASIS EXPOSURE
Insurance company professionals, however, differ. Anurag Rastogi of HDFC ERGO says that, like other commercial products, the premium for cyber insurance too is calculated basis the exposure. “The premium rates depend on factors like the scale of operations, limit of insurance cover being purchased, industry risk exposure, data liability exposure, claim circumstances if any and others. The premium rates are usually on the higher side for financial institutions, considering the risk exposure, in comparison to those in the manufacturing or the healthcare sector,” says he.
Cyber insurance premium is calculated based on the cyber security audit that can be a self-audit by the client (via a proposal form and questionnaire) or by insurance company’s team of experts, says Sasikumar Adidamu. “The audit concentrates on the IT systems and processes in place along with previous incidents and changes made in light of any previous incidents. The business continuity plan, IT security policy, cyber security audit process, type and volume of data stored are some of the factors that are considered. While the process is not perfect, it is sufficiently elaborate and detailed to provide the underwriters an accurate picture of the risk. This process too continues to evolve,” he elaborates.
EVOLVING CRIME PATTERNS
How are insurers keeping pace with the fast-changing cybercrime patterns?
Anurag Rastogi says insurance companies are taking cognizance of the ever changing cybercrime patterns and creating covers for safeguarding individuals and corporates alike. “There exists a huge gap,” he admits, “in the form of optimism bias, which means they think they will continue to remain unscathed by cyberattacks. Hence, the onus lies on the insurance players to create more awareness about the rising threat of security in the virtual space.”
Sasikumar Adidamu emphasizes that insurance companies are regularly training their cyber underwriters along with constantly analyzing cyber incidents. “At Bajaj Allianz General Insurance, we also review various study papers and research published by analysts and insurers/reinsurers on the topic to ensure that we are aware about the constantly evolving cyber risk landscape,” says he.
Jayant Saran of Deloitte feels although insurers are making efforts to keep pace with evolving cybercrime risks and patterns, these risks are increasing at a much faster pace.
Na Vijayashankar says while an attempt is being made and the policies use some broad terms such as identity theft, impersonation, etc., it does not matter if the modus operandi changes.
Arjun Bhaskaran is of the view that Indian insurers have just begun to wet their feet in the cyber insurance markets and the real challenge will come when large volumes of policies are issued, and high volume of claims and complexity begin to hit them. “The ability of the Indian insurers to assess and settle cyber insurance claims in a professional and speedy manner, will be tested.”
CREATING AWARENESS
There is need for creating more awareness about cyber insurance and corporates adopting it. Arjun Bhaskaran says most of the potential customers in B2C and B2B segments are unaware about the concept of cyber insurance and its features. Once they get to know about it, most of them show serious interest in buying cyber insurance. He cites how at a seminar of cybersecurity for cooperative banks held in Palakkad, Kerala, most of the audience consisting of management members from over 90 cooperative banks, showed serious interest to procure cyber insurance. He says there is a need for advertisements and promotion, in a joint manner by insurers and brokers to evangelize cyber insurance especially among B2C and B2B segments.
One way of creating more awareness, according to Jayant Saran, is to undertake a thorough study on why an organization may be targeted, various types of sensitive data being held and the likely outcomes of a data breach. Predictable consequences may help automatically create the required awareness to push organizations to secure themselves with cyber insurance.
Na Vijayashankar too says a substantial effort at awareness creation and more particularly making the user industry understand the nuances of cyber insurance is required. “I am trying to work out an arrangement with some academic institutions to develop an outreach program for the purpose,” says he.
Anurag Rastogi concurs, and says this is mainly on account of the optimism bias existing among consumers. “In doing so, insurers are using various channels like social media platforms, newspapers and magazines, radio, road shows, kiosk activity as well as partnering with cybercrime department and cyber experts to drive the importance and create awareness of cyber insurance among consumers,” he says.
Says Sasikumar Adidamu: “In fact, not many people are aware that cyber insurance for individuals even exists. Many institutions and individuals don’t know how to protect their information from being misused by others because of lack of awareness towards security. I feel that corporates can train their employees on cybercrime and cyber security, both on corporate and individual fronts. Campaigns across all platforms about the risks one is susceptible to due to usage of internet and steps one can take to avoid falling prey to cyberattacks, can also help increase awareness about cyber security. The more people are aware about information security, the less they become targets to cyberattacks,” says he.
RISK UNDERWRITING
What goes into the risk underwriting in cyber risk insurance?
Says Sasikumar Adidamu: “For corporates, the underwriting is done on a case to case basis since any two corporates are hugely different from each other in terms of their cyber risk profiles. For Individuals, on the other hand, we have simplified the process and have predefined premiums for different limits.”
Anurag Rastogi says for corporates, the parameters considered are the availability of well-defined IT, BCP and DR policies, type of PII, PCI and PHI data stored by the company, security measures in each location (low, medium, high) etc.
Na Vijayashankar believes the underwriting process should start with a proposal form from the insurance seeker with relevant details. “The insurer has to ask for documentation and conduct a pre-underwriting assessment before providing the quote. At this time, the information security status will have to be evaluated. At present, the companies are trying to develop a model for assessing a proposal and take the necessary decision,” says he.
Jayant Saran describes the process starting with the assessment of the kind of data an organization holds and within this data, understand what can be classified as critical data or applications. “This should be followed by understanding the ownership of the said data and the security infrastructure in place surrounding the usage, dissemination, transfer, and retention of the data with organizations, as well as any third parties involved (in safekeeping the data). Known gaps during the process should be highlighted and various forms of breach should be simulated in a testing environment, to gain an understanding of how the security infrastructure reacts,” he explains.
Arjun Bhaskaran believes cyber insurance underwriting can be done effectively through cooperation / partnership between insurance companies and cybersecurity expert organizations. “Insurance companies need to take the help of cybersecurity experts for (a) conducting a detailed risk assessment of potential cyber insurance B2B customers and cybersecurity experts will be able to conduct a comprehensive analysis of all IT and Security assets, devices, services, etc; (b) cybersecurity experts are required to conduct a forensic investigation into complex cyber insurance claims and provide an independent and comprehensive cyber investigation report; and (c) during the life of the cyber Insurance policy contract, if there is a cybersecurity incident or loss, the insurance company may engage the cybersecurity partners to immediately assist the customer in quelling and minimizing the cyber losses / damages,” says he.
A VIABLE BUSINESS?
Finally, is cyber risk insurance a viable business proposition for Indian insurers?
Anurag Rastogi: With the exponential increase in the rate of cybercrimes, there is great potential in the Indian cyber insurance segment, which has grown by about 30% to 35% in the last one year. Over the last 4 years, we have seen large and mid-sized corporates purchasing commercial cyber insurance products.
Sasikumar Adidamu: Insurers are in the business of paying claims and with correct risk selection and proper pricing any business can be a viable proposition. Cyber insurance is one of the fastest growing segments in the Liability LOB and I expect it to continue to grow exponentially. Therefore, it presents an exciting opportunity for Indian insurers.
Na Vijayashankar: Yes. At present, insurance companies are charging up to 0.75% on the underwriting amount as premium without making any risk assessment. If a proper risk assessment is done and the policy conditions are properly structured, it is possible to make the business viable even at a lesser rate.
Jayant Saran: Yes, and the future of businesses depends on the evolution of the cyber environment and understanding the risks associated with it. This will be the driver for cyber insurance in India in the near future.
Arjun Bhaskaran: The central premise of cyber insurance is that the cyber risks must be transferred to the agent who can handle or mitigate the cyber risks in a most optimal manner. Therefore, organizations which are most competent in handling and mitigating cyber risks must be in the forefront of cybersecurity exports and in cyber insurance / reinsurance. India is among the top 10 countries that have strong cybersecurity management capabilities, along with USA, UK, Australia, Israel, Russia, France, Germany, Japan, Korea and China.
PROSPECTS FOR INSURERS
For insurance companies offering cyber insurance, forensics will play an important role in determining the data loss and measures to be taken to mitigate the damage. In third-party related suits, the extent of loss will be determined basis the confidentiality of the data. Although insurers have the services of claims, legal and IT experts on standby for any eventuality, with few policies in the market and fewer claims, the biggest challenge is a lack of experience. As the number of claims increases, the expertise will nevertheless grow.
Cyber insurance covers do not prevent frauds from happening. But they definitely reduce the financial impact caused by such risks. Experts believe these policies are of great assistance as India is on its way to digitization and the internet is becoming the preferred medium for financial transactions. An attack can therefore cause irreparable losses to the corporates, especially banks and financial services institutions. At least part of the loss can be recouped as some of the expenses incurred post-attack like third-party liabilities, counseling and service restoration are paid by the cover. This is besides consultant fees, court expenses and legal fees.
Finally, what is there for insurance companies? Will cyber insurance business be a profitable one for them given the extent of frauds and heists and cyber attacks these days? It will be difficult to say.